    2023 State of the CISO Report - 23 pages - WN7.pdf


State of the CISO
A global report on priorities, pain points, and security gaps
2023
Survey conducted by:

State of the CISO Report 2023

Table of Contents

Introduction and Key Findings
Survey Report Findings
Two-Thirds of Companies Are Rolling Out More Digital Services Now Than Two Years Ago
Nearly 90% of CISOs say Digital Transformation Introduces Unforeseen Risks
Talent Tops the List of Security Challenges Resulting from Digital Transformation
Litigation Concern is Top Personal Challenge Created by Digital Transformation
Supply Chain and APIs are Biggest Security Control Gaps in Digital Initiatives
78% of Organizations Place a Higher Priority on API Security Now vs. Two Years Ago
Nearly All CISOs Plan to Prioritize API Security over the Next Two Years
A Variety of Global Developments are Significantly Impacting CISOs Today
The Struggle to Find Qualified Cybersecurity Talent is Impacting Digital Transformation
Boards of Directors are Knowledgeable about Cybersecurity
While Security Budgets Have Increased, Security Spending Power has Decreased
Demographics
About Salt Security

Introduction and Key Findings

Introduction and Methodology

Digital initiatives represent the cornerstone of business innovation today, and the rollout of these new services has had a tremendous impact on companies around the globe. In this survey, we set out to discover how the digital-first economy has specifically impacted the role of the CISO/CSO. In addition to bringing awareness to the evolving role of the CISO, the survey strove to delve into the broader business ramifications of these changes, so organizations can better understand how digital initiatives are impacting risk and how companies can better protect themselves. The survey asked CISOs about the effects of digitalization across a number of different dimensions, from the top security and personal challenges, to the biggest security control gaps, to the struggle to find good talent, to the impact that global trends are having, to the cyber knowledge level of their boards of directors.

The rapid pace of the digital-first economy has transformed the role of the CISO. For CISOs around the world, the adoption of digitalization has made securing critical data more challenging than ever before. But the challenges extend beyond business impacts. CISOs cite many personal challenges that have also resulted from the acceleration of digitalization. They fear potential litigation as a result of security breaches, they have more job-related stress, they worry about personal liability, and they often don't have enough time to fulfill the requirements of their job.

Global trends have also played a part in transforming the CISO role, in particular the speed of AI adoption. AI has become more widely used by cyber criminals across the globe, giving them the ability to dramatically scale their attacks and cause harm to organizations. To counter these threats, CISOs themselves must harness the power of AI for good, using it to "catch" and stop AI-driven attacks, putting more pressure on them to quickly adopt new solutions to safeguard their and their customers' critical assets.

Perhaps the most significant findings are the security control gaps that have arisen as a consequence of new digital initiatives. Digitalization has generated multiple security threats and risks, the biggest among them the application programming interface (API). Foundational to how applications are built today, APIs also play a crucial role in other top areas of CISO concern, including third-party vendors/supply chains and cloud-based applications. This huge and expanding attack surface gives bad actors many access points into organizations' digital applications and data. Consequently, APIs have become an increasingly attractive target for cyber criminals. Why? They're relatively easy to hack, attacks are difficult to detect and can't be found by existing security tooling, and the rewards for successfully hacking APIs are very high because APIs transport companies' most valuable digital data. In fact, the attack surface has grown so significantly, APIs are predicted to become the biggest security vulnerability ever, according to industry research firm Gartner. While awareness of the need for API security has clearly grown, its implementation is not yet pervasive.

Being on the security front lines, CISOs feel the risks of digitalization most sharply. But the potential impact of a digital breach affects the entire enterprise, costing organizations not only in damage to their brand reputation but also in mitigation costs, fines, and potential litigation. Therefore, increasing security for these vital digital initiatives must be a priority for the whole business, not just the security team. C-level executives must do their part to enable and aid the business by prioritizing and funding new security requirements created by digitalization.

Digital transformation is all about moving fast. To drive business acceleration, security must "not get in the way" while simultaneously ensuring the safety of the organization's critical data and services. By closing the top security control gaps caused by digitalization, companies can help alleviate the concern that "moving fast could put the business at risk."

Methodology

To get more insight into current priorities, security gaps and pain points for C-level security leaders, we commissioned a survey of 300 CISOs/CSOs. Global Surveyz Research, an independent survey company, administered the survey online. Respondents represented companies in the US, UK, Western Europe (France, Netherlands) and Brazil, with 500 or more employees, across a variety of industries, including financial services (including fintech), healthcare, insurance, pharmaceutical, and eCommerce. The respondents were recruited through a global B2B research panel and invited via email to complete the survey, with all responses collected during April 2023. The average amount of time spent on the survey was 7 minutes and 30 seconds. The answers to most of the non-numerical questions were randomized to prevent order bias in the answers.

Key Findings

1. The Healthcare and Financial Services industries face the biggest security impact due to the rapid pace of digital transformation initiatives

The proliferation of modern digital services and applications continues to complicate the security landscape and introduce new security control gaps. 89% of CISOs worldwide agree that moving fast with digital transformation can introduce unforeseen risks in securing organization data (Figure 2). However, of those who agree most strongly (37%), the top two industries (Figure 3) are healthcare (47%) and financial services or technologies (43%), which makes sense, as these sectors are experiencing a comparatively high level of digital innovation and disruption. Because offering digital services has become critical in these industries to remain competitive and meet consumer expectations, healthcare and financial services organizations introduce new digital services at a faster pace. Consequently, these sectors see more "pain" and challenges earlier and more frequently than in other industries. Paradoxically, the survey also shows that these sectors have the most difficulty justifying the cost of security investments to protect new digital transformation initiatives (Figure 5), making the CISO role in healthcare and financial services even more challenging.

2. Almost half of CISOs worldwide have concerns that a security breach in their organization may result in personal litigation and liability

Virtually all respondents (99%) admit they face personal challenges as a result of digital transformation (Figure 6), with the top concerns being personal litigation stemming from security breaches (48%) and increased personal risk/liability (45%). With several high-profile CISO lawsuits making waves recently, the trend of security leaders opting for roles below CISO level, or requesting indemnification, is growing. CISOs have fears of being found personally liable in the event of a security breach, potentially putting their own livelihood at risk. To alleviate fears, organizations need security processes and tooling that provide CISOs with a comprehensive view into potential security risks. With proven risk mitigation capabilities, CISOs can more effectively demonstrate and close security control gaps, gaining reassurance and lowering their concerns regarding personal liability. At a time when the CISO role is more important than ever, senior-level company executives cannot risk losing the best candidates to worries over personal risk or litigation.

3. 78% of CISOs are prioritizing API security more highly than two years ago, and 95% of CISOs say API security is a planned priority over the next two years

With the growth of the digital-first economy over the past couple of years, the usage of APIs has exploded. As the glue that drives all digital initiatives, APIs either directly or indirectly impact most of the top security control gaps. They also have the most potential to impede the success of an organization's digital transformation programs. Given the fact that APIs are embedded into all digital services, it's not surprising that 78% of respondents say their organizations are prioritizing API security more highly now, compared to 2021 (Figure 8). Moreover, CISOs say API security prioritization will increase further, with 95% of CISOs worldwide reporting their organizations have made API security a planned priority over the next two years.

The biggest security control gap for CISOs in their digital initiatives (Figure 7) is supply chain/third-party vendors (38%). Because effective data sharing across third parties and supply chains relies on APIs to function, this gap also further highlights the API security pain point. Business innovation, digitalization, cloud migration, and effective API security are all tightly interrelated. Working on these initiatives in a unified way helps businesses reduce their risk.

4. The speed of AI adoption is the global development most impacting the CISO's role

Multiple global developments are contributing to the complexity of the CISO role, including macro-economic uncertainty, the geo-political climate, and layoffs (Figure 11). But the leading global trend impacting CISOs worldwide, when combining respondents' ratings of medium, high, and very high impact, is the speed of AI adoption (94%). The rise of AI in virtually every industry has transformed the security landscape, and CISOs worry about how this dynamic will affect their organizations. AI serves as a unique cyber defense tool with its ability to quickly analyze large volumes of data and assess and learn from potential attacks. However, AI can also be a security threat. Cyber criminals have already turned to AI for its ability to provide new ways to attack organizations' infrastructures. Using more widely available generative AI technologies, such as ChatGPT, for example, bad actors can generate malicious emails and even script attacks at a much faster rate. CISOs must always understand the adversary, and the adversary is using AI. As CISOs learn to navigate the associated threats and security ramifications of AI, they must also learn to harness AI "defensively" for their organizations' security.

5. 91% of CISOs say hiring of qualified cybersecurity talent remains a significant issue to deliver digital transformation initiatives

Because digital services introduce new types of cybersecurity attacks, its defense demands new knowledge and capabilities, making the hiring of qualified talent essential. 91% of CISOs say that qualified cybersecurity talent is critical to their ability to deliver digital transformation initiatives (Figure 12). In addition, CISOs cite the lack of qualified cybersecurity talent as the top security challenge resulting from digitalization (Figure 4). The shortage of sufficiently qualified talent makes it harder for organizations to find and hire people who understand the new technologies and have the skills necessary to address the new security risks and challenges. Moreover, the inability to find and retain qualified security talent can hinder CISOs' and businesses' success in a digital-first world.

"As organizations accelerate their digital transformation efforts, they naturally increase the use of APIs in many areas of business and AI. So it's promising to see that their API security efforts are finally moving upward. Sometimes companies can be penny wise but pound foolish when it comes to security investments. But given the high cost of major personal data breaches, API security has to rise in prominence, and do so sharply, in the near future."
Anton Chuvakin, security advisor at Office of the CISO, Google Cloud

"We are entering the new reality of the 'AI era' of cyber. CISOs know that AI attacks are evolving and becoming increasingly sophisticated and that they're growing at an unprecedented rate. With security teams already at capacity defending a broad attack surface, the impact of escalating AI threats as well as the necessity to implement an AI offense clearly weighs heavily on today's CISOs."
Ed Amoroso, founder and CEO of TAG InfoSphere

Survey Report Findings

Two-Thirds of Companies Are Rolling Out More Digital Services Now Than Two Years Ago

Two thirds (66%) of CISOs worldwide say that they are deploying more digital transformation initiatives now compared to two years ago. Digital services have become essential to deliver modern business innovation, maintain a competitive advantage, and generate revenue growth. Companies lagging behind in digital transformation initiatives will find it increasingly difficult to compete with those who are embracing new digital services and thriving as a result.

Figure 1: Frequency of rolling out new digital services compared to two years ago (a lot more 25%, a little more 41%, about the same 22%, a little less 10%, a lot less 2%; more, compared to 2021: 66%)

Nearly 90% of CISOs say Digital Transformation Introduces Unforeseen Risks

89% of CISOs say that moving fast with digital transformation initiatives introduces unforeseen risks in securing company data, while only 10% slightly disagree with that claim, and a mere 1% very much disagree. Financial services and healthcare organizations appear to feel the pain of digitalization more acutely than other industries. While 37% of CISOs worldwide say they "very much agree" that digital services create additional risk, the number jumps to 43% for CISOs in financial services and 47% for CISOs in healthcare organizations. For these industries, in particular, participating in the digital economy is a top business priority. The ability to innovate and bring new services to market quickly is essential to meet changing customer expectations in their sectors. Moreover, ensuring the safety of critical financial and personal health data in these industries is also paramount.

Figure 2: Moving fast with digital transformation initiatives
